NNT CIS Microsoft Windows Server 2008 R2 Benchmark Level 1 Domain Controller v
- Chastity Lewis
- 8 years ago
NNT CIS Microsoft Windows Server 2008 R2 Benchmark Level 1 Domain Controller v : WIN-0DQG5HQ18AD
On WIN-0DQG5HQ18AD - By admin for time period 9/20/ :31:02 PM to 9/20/ :31:02 PM

Total score: %
127 out of 229 rules passed
0 out of 229 rules did not pass completely
102 out of 229 rules failed

This report was designed for auditing compliance with the CIS Microsoft Windows Server 2008 R2 Benchmark v (Level 1 Domain Controller profile). Items in this profile apply to Domain Controllers and intend to: be practical and prudent; provide a clear security benefit; and not inhibit the utility of the technology beyond acceptable means.

Windows Settings Security Settings-System Services Rules

Set 'Windows Update' to 'Automatic'
Description: Enables the detection, download, and installation of updates for Windows and other programs. If this service is disabled, users of this computer will not be able to use Windows Update or its automatic updating feature, and programs will not be able to use the Windows Update Agent (WUA) API.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'.

9/24/ :53:23 AM
Set 'Windows Event Log' to 'Automatic'
Description: This service manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs, and managing event metadata. It can display events in both XML and plain text format. Stopping this service may compromise security and reliability of the system.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'

Set 'Base Filtering Engine' to 'Automatic'
Description: The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the security of the system. It will also result in unpredictable behavior in IPsec management and firewall applications.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'.
Set 'Plug and Play' to 'Automatic'
Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'

Set 'TCP/IP NetBIOS Helper' to 'Automatic'
Description: Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network, therefore enabling users to share files, print, and log on to the network. If this service is stopped, these functions might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'.
Set 'IKE and AuthIP IPsec Keying Modules' to 'Automatic'
Description: The IKEEXT service hosts the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) keying modules. These keying modules are used for authentication and key exchange in Internet Protocol security (IPsec). Stopping or disabling the IKEEXT service will disable IKE and AuthIP key exchange with peer computers. IPsec is typically configured to use IKE or AuthIP; therefore, stopping or disabling the IKEEXT service might result in an IPsec failure and might compromise the security of the system. It is strongly recommended that you have the IKEEXT service running.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'

Set 'Security Accounts Manager' to 'Automatic'
Description: The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'.
Set 'Power' to 'Automatic'
Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'

Set 'Network List Service' to 'Automatic'
Description: Identifies the networks to which the computer has connected, collects and stores properties for these networks, and notifies applications when these properties change.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Fail: Set 'Network List Service' to 'Automatic' :.'3'.
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2. Computer Configuration\Windows Settings\Security Settings\System Services\Network List Service
Impact: If some services (such as the Security Accounts Manager) are disabled, you will not be able to restart the computer. If other critical services are disabled, the computer may not be able to authenticate with domain controllers. If you wish to disable some system services, you should test the changed settings on non-production computers before you change them in a production environment. It is also possible to alter the access control list (ACL) for a service, however do so with caution because unexpected results may arise. For example, changing the default permissions may cause enterprise management software to lose the ability to query the state of that service.
Set 'Microsoft Fibre Channel Platform Registration Service' to 'Automatic'
Description: Registers the platform with all available Fibre Channel fabrics, and maintains the registrations.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Fail: Set 'Microsoft Fibre Channel Platform Registration Service' to 'Automatic' :.'3'.
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2. Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Fibre Channel Platform Registration Service
Impact: If some services (such as the Security Accounts Manager) are disabled, you will not be able to restart the computer. If other critical services are disabled, the computer may not be able to authenticate with domain controllers. If you wish to disable some system services, you should test the changed settings on non-production computers before you change them in a production environment. It is also possible to alter the access control list (ACL) for a service, however do so with caution because unexpected results may arise. For example, changing the default permissions may cause enterprise management software to lose the ability to query the state of that service.

Set 'Software Protection' to 'Automatic'
Description: Enables the download, installation and enforcement of digital licenses for Windows and Windows applications. If the service is disabled, the operating system and licensed applications may run in a reduced function mode.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'.
Set 'Network Store Interface Service' to 'Automatic'
Description: This service delivers network notifications (e.g. interface addition/deleting etc) to user mode clients. Stopping this service will cause loss of network connectivity. If this service is disabled, any other services that explicitly depend on this service will fail to start.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'

Set 'Windows Firewall' to 'Automatic'
Description: Windows Firewall helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'.
Set 'COM+ Event System' to 'Automatic'
Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'

Set 'Remote Procedure Call (RPC)' to 'Automatic'
Description: Serves as the endpoint mapper and COM Service Control Manager. If this service is stopped or disabled, programs using COM or Remote Procedure Call (RPC) services will not function properly.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'.
Set 'DCOM Server Process Launcher' to 'Automatic'
Description: Provides launch functionality for DCOM services.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'

Set 'User Profile Service' to 'Automatic'
Description: This service is responsible for loading and unloading user profiles. If this service is stopped or disabled, users will no longer be able to successfully logon or logoff, applications may have problems getting to users' data, and components registered to receive profile event notifications will not receive them.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'

Set 'Shell Hardware Detection' to 'Automatic'
Description: Provides notifications for AutoPlay hardware events.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'.
Set 'Windows Management Instrumentation' to 'Automatic'
Description: Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'

Set 'Group Policy Client' to 'Automatic'
Description: The service is responsible for applying settings configured by administrators for the computer and users through the Group Policy component. If the service is stopped or disabled, the settings will not be applied and applications and components will not be manageable through Group Policy. Any components or applications that depend on the Group Policy component might not be functional if the service is stopped or disabled.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'.
Set 'IP Helper' to 'Automatic'
Description: Provides automatic IPv6 connectivity over an IPv4 network. If this service is stopped, the machine will only have IPv6 connectivity if it is connected to a native IPv6 network.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'

Set 'Cryptographic Services' to 'Automatic'
Description: Provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'.
Set 'Remote Registry' to 'Automatic'
Description: Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'

Set 'Workstation' to 'Automatic'
Description: Creates and maintains client network connections to remote servers using the SMB protocol. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'.
Set 'DFS Replication' to 'Automatic'
Description: Enables you to synchronize folders on multiple servers across local or wide area network (WAN) network connections. This service uses the Remote Differential Compression (RDC) protocol to update only the portions of files that have changed since the last replication.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
No data collected for oval:org.cisecurity.benchmarks.microsoft_windows_server_2008:obj:1026 (Check that 'DFS Replication' is configured to 'Automatic')

Set 'Windows Time' to 'Automatic'
Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Fail: Set 'Windows Time' to 'Automatic' :.'3'.
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2. Computer Configuration\Windows Settings\Security Settings\System Services\Windows Time
Impact: If some services (such as the Security Accounts Manager) are disabled, you will not be able to restart the computer. If other critical services are disabled, the computer may not be able to authenticate with domain controllers. If you wish to disable some system services, you should test the changed settings on non-production computers before you change them in a production environment. It is also possible to alter the access control list (ACL) for a service, however do so with caution because unexpected results may arise. For example, changing the default permissions may cause enterprise management software to lose the ability to query the state of that service.
Set 'Desktop Window Manager Session Manager' to 'Automatic'

Description: Provides Desktop Window Manager startup and maintenance services

Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.

Pass: Rule passed : '2'

Set 'Task Scheduler' to 'Automatic'

Description: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.

Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.
Pass: Rule passed : '2'

Set 'Network Location Awareness' to 'Automatic'

Description: Collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Rationale: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executable files in your environment. There are additional optional services available in Windows that are not installed during a default installation of the operating system. Depending on the version of Windows you can add these optional services to an existing computer through Add/Remove Programs in Control Panel, Programs and Features in Control Panel, Server Manager, or the Configure Your Server Wizard. Important: If you enable additional services, they may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.

Pass: Rule passed : '2'.
Computer Configuration - Windows Settings - Security Settings - Local Policies Security Options

Set 'Network security: Allow Local System to use computer identity for NTLM' to 'Enabled'

Description: This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2.

Rationale: When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008, services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection.

No data collected for oval:org.cisecurity.benchmarks.microsoft_windows_server_2008:obj:1031 (Check that 'Network security: Allow Local System to use computer identity for NTLM' is configured to 'Enabled')

Check 'Recovery console: Allow floppy copy and access to all drives and all folders' to 'Disabled'

Description: This policy setting makes the Recovery Console SET command available, which allows you to set the following recovery console environment variables:
- AllowWildCards. Enables wildcard support for some commands (such as the DEL command).
- AllowAllPaths. Allows access to all files and folders on the computer.
- AllowRemovableMedia. Allows files to be copied to removable media, such as a floppy disk.
- NoCopyPrompt. Does not prompt when overwriting an existing file.
Rationale: An attacker who can cause the system to restart into the Recovery Console could steal sensitive data and leave no audit or access trail.

Impact: Users who have started a server through the Recovery Console and logged in with the built-in Administrator account will not be able to copy files and folders to a floppy disk.

Pass: Configuration setting defined local security policy (0).
Set 'Network security: Allow LocalSystem NULL session fallback' to 'Disabled'

Description: Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7.

Rationale: NULL sessions are less secure because by definition they are unauthenticated.

No data collected for oval:org.cisecurity.benchmarks.microsoft_windows_server_2008:obj:1033 (Check that 'Network security: Allow LocalSystem NULL session fallback' is configured to 'Disabled')

Set 'Domain controller: LDAP server signing requirements' to 'Require signing'

Description: This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing.

Rationale: Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult.

No data collected for oval:org.cisecurity.benchmarks.microsoft_windows_server_2008:obj:1035 (Check that 'Domain controller: LDAP server signing requirements' is configured to 'Require signing')

Set 'Devices: Allow undock without having to log on' to 'Disabled'

Description: This policy setting determines whether a portable computer can be undocked if the user does not log on to the system.
Enable this policy setting to eliminate a Logon requirement and allow use of an external hardware eject button to undock the computer. If you disable this policy setting, a user must log on and have been assigned the Remove computer from docking station user right to undock the computer.

Rationale: If this policy setting is enabled, anyone with physical access to portable computers in docking stations could remove them and possibly tamper with them.

Fail: Set 'Devices: Allow undock without having to log on' to 'Disabled' :.'1'.

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allow undock without having to log on

Impact: Users who have docked their computers will have to log on to the local console before they can undock their computers. For computers that do not have docking stations, this policy setting will have no impact.
Set 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' to 'Prompt for consent for non-Windows binaries'

Description: This policy setting controls the behavior of the elevation prompt for administrators. The options are:
- Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.
- Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
- Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
- Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
- Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
Rationale: One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so.

Impact: This policy setting controls the behavior of the elevation prompt for administrators.

Pass: Configuration setting defined local security policy (5)

Set 'Devices: Allowed to format and eject removable media' to 'Administrators'

Description: This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges.

Rationale: Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting.

No data collected for oval:org.cisecurity.benchmarks.microsoft_windows_server_2008:obj:1038 (Check that 'Devices: Allowed to format and eject removable media' is configured to 'Administrators')

'Network security: LAN Manager authentication level' must be set to 'Send NTLMv2 response only/refuse LM'

Description: LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include
transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations:
- Join a domain
- Authenticate between Active Directory forests
- Authenticate to down-level domains
- Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP
- Authenticate to computers that are not in the domain

The possible values for the Network security: LAN Manager authentication level setting are:
- Send LM and NTLM responses
- Send LM and NTLM - use NTLMv2 session security if negotiated
- Send NTLM responses only
- Send NTLMv2 responses only
- Send NTLMv2 responses only\refuse LM
- Send NTLMv2 responses only\refuse LM and NTLM
- Not Defined

The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the authentication level that servers accept as follows:
- Send LM and NTLM responses. Clients use LM and NTLM authentication and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Send LM and NTLM - use NTLMv2 session security if negotiated. Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Send NTLM response only. Clients use NTLM authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Send NTLMv2 response only. Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Send NTLMv2 response only\refuse LM. Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
- Send NTLMv2 response only\refuse LM and NTLM. Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).

These settings correspond to the levels discussed in other Microsoft documents as follows:
- Level 0: Send LM and NTLM response; never use NTLMv2 session security. Clients use LM and NTLM authentication, and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Level 1: Use NTLMv2 session security if negotiated. Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Level 2: Send NTLM response only. Clients use only NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Level 3: Send NTLMv2 response only. Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Level 4: Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers refuse LM authentication, that is, they accept NTLM and NTLMv2.
- Level 5: Domain controllers refuse LM and NTLM responses (accept only NTLMv2). Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it. Domain controllers refuse NTLM and LM authentication (they accept only NTLMv2).

Rationale: In Windows Vista, this setting is undefined. However, in Windows 2000, Windows Server 2003, and Windows XP clients are configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default setting on servers allows all clients to authenticate with servers and use their resources. However, this means that LM responses, the weakest form of authentication response, are sent over the network, and it is potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for earlier clients and servers, Windows-based clients and servers that are members of the domain will use
the Kerberos authentication protocol to authenticate with Windows Server 2003 domain controllers.

No usable Number data collected for securitypolicy_se_lsa_lmcompatibilitylevel

Set 'Domain controller: Refuse machine account password changes' to 'Disabled'

Description: This security setting determines whether domain controllers will refuse requests from member computers to change computer account passwords. By default, member computers change their computer account passwords every 30 days. If enabled, the domain controller will refuse computer account password change requests. If it is enabled, this setting does not allow a domain controller to accept any changes to a computer account's password. Default: This policy is not defined, which means that the system treats it as Disabled.

Rationale: If you enable this policy setting on all domain controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack.

No data collected for oval:org.cisecurity.benchmarks.microsoft_windows_server_2008:obj:1040 (Check that 'Domain controller: Refuse machine account password changes' is configured to 'Disabled')

'User Account Control: Run all administrators in Admin Approval Mode' must be set to 'Enabled'

Description: This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are:
- Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
- Disabled: Admin Approval Mode and all related UAC policy settings are disabled.
Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.

Rationale: This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system.

Pass: Configured Setting is local security policy (1).
Set 'Domain controller: Allow server operators to schedule tasks' to 'Disabled'

Description: This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job. Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the advanced menu.

Rationale: If you enable this policy setting, jobs that are created by server operators by means of the AT service will execute in the context of the account that runs that service. By default, that is the local system account. If you enable this policy setting, server operators could perform tasks that SYSTEM is able to do but that they would typically not be able to do, such as add their account to the local Administrators group.

No data collected for oval:org.cisecurity.benchmarks.microsoft_windows_server_2008:obj:1042 (Check that 'Domain controller: Allow server operators to schedule tasks' is configured to 'Disabled')

'User Account Control: Admin Approval Mode for the Built-in Administrator account' must be set to 'Enabled'

Description: This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are:
- Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
- Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.
Rationale: One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named "Administrator" because that user account was created for all installations of Windows. To address this risk, in Windows Vista the built-in Administrator account is disabled. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways:
- If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator.
- If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted.
Once Windows Vista is installed, the built-in Administrator account may be enabled, but we strongly recommend that this account remain disabled.

Fail: Configured Setting is local security policy (0)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account.
More informationCourse Description. Course Audience. Course Outline. Course Page - Page 1 of 12
Course Page - Page 1 of 12 Windows 7 Enterprise Desktop Support Technician M-50331 Length: 5 days Price: $2,795.00 Course Description This five-day instructor-led course provides students with the knowledge
More informationNETWRIX IDENTITY MANAGEMENT SUITE
NETWRIX IDENTITY MANAGEMENT SUITE FEATURES AND REQUIREMENTS Product Version: 3.3 February 2013. Legal Notice The information in this publication is furnished for information use only, and does not constitute
More informationThe SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.
WatchGuard SSL v3.2 Release Notes Supported Devices SSL 100 and 560 WatchGuard SSL OS Build 355419 Revision Date January 28, 2013 Introduction WatchGuard is pleased to announce the release of WatchGuard
More informationMCSA Security + Certification Program
MCSA Security + Certification Program 12 credit hours 270 hours to complete certifications Tuition: $4500 Information technology positions are high-demand occupations that support virtually all industries.
More informationDeploying Microsoft RemoteFX on a Single Remote Desktop Virtualization Host Server Step-by-Step Guide
Deploying Microsoft RemoteFX on a Single Remote Desktop Virtualization Host Server Step-by-Step Guide Microsoft Corporation Published: October 2010 Abstract This step-by-step guide walks you through the
More informationSecurity Overview for Windows Vista. Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation
Security Overview for Windows Vista Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation Agenda User and group changes Encryption changes Audit changes User rights New and modified
More informationImplementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure
Question Number (ID) : 1 (jaamsp_mngnwi-025) Lisa would like to configure five of her 15 Web servers, which are running Microsoft Windows Server 2003, Web Edition, to always receive specific IP addresses
More informationNETWRIX PASSWORD MANAGER
NETWRIX PASSWORD MANAGER ADMINISTRATOR S GUIDE Product Version: 6.1 February/2012 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment
More informationWindows 7. Qing Liu Qing.Liu@chi.frb.org Michael Stevens Michael.Stevens@chi.frb.org
Windows 7 Qing Liu Qing.Liu@chi.frb.org Michael Stevens Michael.Stevens@chi.frb.org 1 Overview 1. Financial Institution s Preliminary Steps 2. User Interface 3. Data Protection 4. User and Group Changes
More informationOptimization in a Secure Windows Environment
WHITE PAPER Optimization in a Secure Windows Environment A guide to the preparation, configuration and troubleshooting of Riverbed Steelhead appliances for Signed SMB and Encrypted MAPI September 2013
More informationManaging Windows Server 2008 R2
Objective Domain Matrix Skills/Concepts Lesson 2 Managing Windows Server 2008 R2 Objective Domain Description Managing Devices and Device Drivers Understand device drivers. 1.1 Managing Services Understand
More informationContents. Platform Compatibility. Directory Connector SonicWALL Directory Services Connector 3.1.7
Directory Connector SonicWALL Directory Services Connector 3.1.7 Contents Platform Compatibility... 1 New Features... 2 Known Issues... 3 Resolved Issues... 4 Overview... 7 About SonicWALL Single Sign-On
More informationTroubleshooting Windows monitoring 2007 Intellipool AB
Troubleshooting Windows monitoring 2007 Intellipool AB Troubleshooting Windows monitoring 2007 Intellipool AB All rights reserved. No parts of this work may be reproduced in any form or by any means -
More informationUsing Logon Agent for Transparent User Identification
Using Logon Agent for Transparent User Identification Websense Logon Agent (also called Authentication Server) identifies users in real time, as they log on to domains. Logon Agent works with the Websense
More informationNETASQ SSO Agent Installation and deployment
NETASQ SSO Agent Installation and deployment Document version: 1.3 Reference: naentno_sso_agent Page 1 / 20 Copyright NETASQ 2013 General information 3 Principle 3 Requirements 3 Active Directory user
More informationFileCloud Security FAQ
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
More informationActivity 1: Scanning with Windows Defender
Activity 1: Scanning with Windows Defender 1. Click on Start > All Programs > Windows Defender 2. Click on the arrow next to Scan 3. Choose Custom Scan Page 1 4. Choose Scan selected drives and folders
More informationvcloud Director User's Guide
vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of
More informationHow the Active Directory Installation Wizard Works
How the Active Directory Installation Wizard Works - Directory Services: Windows Serv... Page 1 of 18 How the Active Directory Installation Wizard Works In this section Active Directory Installation Wizard
More informationWhite Paper. Deploying EUM. SurfControl Web Filter for MS Windows. rev. 1.1, January 2005. Enterprise Threat Protection
White Paper Deploying EUM SurfControl Web Filter for MS Windows rev. 1.1, January 2005 Enterprise Threat Protection ..... ACKNOWLEDGEMENTS SurfControl wishes to acknowledge the following people for their
More informationDell InTrust 11.0. Auditing and Monitoring Microsoft Windows
2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement.
More informationDefense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations
Defense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations March 2009 Version 2.2 This page intentionally left blank. 2 1. Introduction...4
More informationSophos for Microsoft SharePoint startup guide
Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning
More informationA Nemaris Company. Formal Privacy & Security Assessment For Surgimap version 2.2.6 and higher
A Nemaris Company Formal Privacy & Security Assessment For Surgimap version 2.2.6 and higher 306 East 15 th Street Suite 1R, New York, New York 10003 Application Name Surgimap Vendor Nemaris Inc. Version
More informationDriveLock Quick Start Guide
Be secure in less than 4 hours CenterTools Software GmbH 2012 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
More informationWhatsUp Event Analyst v10.x Quick Setup Guide
WhatsUp Event Analyst v10.x Quick Setup Guide Contents WhatsUp Event Analyst Quick Setup Guide WhatsUp Event Analyst Quick Setup Guide... 2 Installation Requirements... 3 Before You Begin... 4 Microsoft
More informationPC-Duo Web Console Installation Guide
PC-Duo Web Console Installation Guide Release 12.1 August 2012 Vector Networks, Inc. 541 Tenth Street, Unit 123 Atlanta, GA 30318 (800) 330-5035 http://www.vector-networks.com Copyright 2012 Vector Networks
More informationRandom Password Manager Enterprise Edition
Random Password Manager Enterprise Edition i Contents Copyright Notice 4 Introduction 1 Overview...1 Performance Notes...1 License Agreement...1 Limited Warranty...3 Background and Goals...3 Product Installation
More informationContents. Supported Platforms. Event Viewer. User Identification Using the Domain Controller Security Log. SonicOS
SonicOS User Identification Using the Domain Controller Security Log Contents Supported Platforms... 1 Event Viewer... 1 Configuring Group Policy to Enable Logon Audit... 2 Events in Security Log... 4
More informationCHARON-VAX application note
CHARON-VAX application note AN-33 Required Windows Standard Services Author: Software Resources International Date: 16-Jan-2006 Software Resources International (SRI) recommends the use of the host operating
More informationOutpost Network Security
Administrator Guide Reference Outpost Network Security Office Firewall Software from Agnitum Abstract This document provides information on deploying Outpost Network Security in a corporate network. It
More informationSetup and Configuration Guide for Pathways Mobile Estimating
Setup and Configuration Guide for Pathways Mobile Estimating Setup and Configuration Guide for Pathways Mobile Estimating Copyright 2008 by CCC Information Services Inc. All rights reserved. No part of
More informationWindows 7 / Server 2008 R2 Configuration Overview. By: Robert Huth Dated: March 2014
Windows 7 / Server 2008 R2 Configuration Overview By: Robert Huth Dated: March 2014 Expectations This Windows 7 / Server 2008 R2 (Win7-2K8) presentation is a general overview of the technical security
More informationToolbox 3.3 Client-Server Configuration. Quick configuration guide. User manual. For the latest news. and the most up-todate.
User manual Toolbox 3.3 Client-Server Configuration Quick configuration guide For the latest news and the most up-todate information, please consult the Document history Version Comment Version 1.0 30/10/2010,
More informationSophos Enterprise Console Help. Product version: 5.1 Document date: June 2012
Sophos Enterprise Console Help Product version: 5.1 Document date: June 2012 Contents 1 About Enterprise Console...3 2 Guide to the Enterprise Console interface...4 3 Getting started with Sophos Enterprise
More informationHow To Set A Group Policy On A Computer With A Network Security Policy On Itunes.Com (For Acedo) On A Pc Or Mac Mac (For An Ubuntu) On An Ubode (For Mac) On Pc Or Ip
CIS Microsoft Windows XP Benchmark v3.1.0-12-03-2013 http://benchmarks.cisecurity.org The CIS Security Benchmarks division provides consensus-oriented information security products, services, tools, metrics,
More informationBMC Performance Manager Windows Security White Paper DCOM / WMI
BMC Performance Manager Windows Security White Paper DCOM / WMI Problem The IT department delivers user IT services to their internal and external customers. The IT department wants to maintain control
More informationNETWRIX ACCOUNT LOCKOUT EXAMINER
NETWRIX ACCOUNT LOCKOUT EXAMINER ADMINISTRATOR S GUIDE Product Version: 4.1 July 2014. Legal Notice The information in this publication is furnished for information use only, and does not constitute a
More informationKepware Technologies Remote OPC DA Quick Start Guide (DCOM)
Kepware Technologies Remote OPC DA Quick Start Guide (DCOM) March, 2013 Ref. 03.10 Kepware Technologies Table of Contents 1. Overview... 1 1.1 What is DCOM?... 1 1.2 What is OPCEnum?... 1 2. Users and
More informationIntegrating LANGuardian with Active Directory
Integrating LANGuardian with Active Directory 01 February 2012 This document describes how to integrate LANGuardian with Microsoft Windows Server and Active Directory. Overview With the optional Identity
More informationQuick Setup Guide. 2 System requirements and licensing. 2011 Kerio Technologies s.r.o. All rights reserved.
Kerio Control VMware Virtual Appliance Quick Setup Guide 2011 Kerio Technologies s.r.o. All rights reserved. This document provides detailed description on installation and basic configuration of the Kerio
More informationהמרכז ללימודי חוץ המכללה האקדמית ספיר. ד.נ חוף אשקלון 79165 טל'- 08-6801535 פקס- 08-6801543 בשיתוף עם מכללת הנגב ע"ש ספיר
מודולות הלימוד של מייקרוסופט הקורס מחולק ל 4 מודולות כמפורט:.1Configuring Microsoft Windows Vista Client 70-620 Installing and upgrading Windows Vista Identify hardware requirements. Perform a clean installation.
More informationMCSE 2003. Core exams (Networking) One Client OS Exam. Core Exams (6 Exams Required)
MCSE 2003 Microsoft Certified Systems Engineer (MCSE) candidates on the Microsoft Windows Server 2003 track are required to satisfy the following requirements: Core Exams (6 Exams Required) Four networking
More informationXerox EX Print Server, Powered by Fiery, for the Xerox 700 Digital Color Press. Printing from Windows
Xerox EX Print Server, Powered by Fiery, for the Xerox 700 Digital Color Press Printing from Windows 2008 Electronics for Imaging, Inc. The information in this publication is covered under Legal Notices
More informationBelarc Advisor Security Benchmark Summary
Page 1 of 5 The license associated with the Belarc Advisor product allows for free personal use only. Use on multiple computers in a corporate, educational, military or government installation is prohibited.
More information1. Installation Overview
Quick Install Guide 1. Installation Overview Thank you for selecting Bitdefender Business Solutions to protect your business. This document enables you to quickly get started with the installation of Bitdefender
More informationWindows 7, Enterprise Desktop Support Technician
Course 50331D: Windows 7, Enterprise Desktop Support Technician Page 1 of 11 Windows 7, Enterprise Desktop Support Technician Course 50331D: 4 days; Instructor-Led Introduction This four-day instructor-ledcourse
More informationXIA Configuration Server
XIA Configuration Server XIA Configuration Server v7 Installation Quick Start Guide Monday, 05 January 2015 1 P a g e X I A C o n f i g u r a t i o n S e r v e r Contents Requirements... 3 XIA Configuration
More information70-682. Microsoft. Pro: Upgrading to Windows 7 MCITP Enterprise Desktop Support Technician. http://www.pass4sureofficial.com. www.dumpspdf.
70-682 Microsoft Pro: Upgrading to Windows 7 MCITP Enterprise Desktop Support Technician http://www.pass4sureofficial.com Dumpspdf.com is a reputable IT certification examination guide, study guides and
More informationWECCNET MESSAGING SYSTEM CLIENT DOCUMENTATION
TABLE OF CONTENTS WECCNET Messaging System Client Documentation WECCNET MESSAGING SYSTEM CLIENT DOCUMENTATION March 3 rd, 2015 SUPPORT CONTACTS... 2 CLIENT REQUIREMENTS... 2 CLIENT PRECONFIGURATION...
More informationDeploying Windows Streaming Media Servers NLB Cluster and metasan
Deploying Windows Streaming Media Servers NLB Cluster and metasan Introduction...................................................... 2 Objectives.......................................................
More informationUserLock advanced documentation
UserLock advanced documentation 1. Agent deployment with msi package or with the UserLock deployment module The UserLock deployment module doesn t deploy the msi package. It just transfers the agent file
More informationAV-006: Installing, Administering and Configuring Windows Server 2012
AV-006: Installing, Administering and Configuring Windows Server 2012 Career Details Duration 105 hours Prerequisites This course requires that student meet the following prerequisites, including that
More informationFreshservice Discovery Probe User Guide
Freshservice Discovery Probe User Guide 1. What is Freshservice Discovery Probe? 1.1 What details does Probe fetch? 1.2 How does Probe fetch the information? 2. What are the minimum system requirements
More informationSecure configuration document
Secure configuration document Windows 7 Draft 0.1. DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India Document Control S. No.
More informationTerminal Services Tools and Settings - Terminal Services: %PRODUCT%
Page 1 of 10 Terminal Services Tools and Settings In this section Terminal Services Tools Terminal Services Registry Entries Terminal Services Group Policy Settings Terminal Services WMI Classes Network
More informationDeploying BitDefender Client Security and BitDefender Windows Server Solutions
Deploying BitDefender Client Security and BitDefender Windows Server Solutions Quick Install Guide Copyright 2011 BitDefender 1. Installation Overview Thank you for selecting BitDefender Business Solutions
More informationOVERVIEW OF TYPICAL WINDOWS SERVER ROLES
OVERVIEW OF TYPICAL WINDOWS SERVER ROLES Before you start Objectives: learn about common server roles which can be used in Windows environment. Prerequisites: no prerequisites. Key terms: network, server,
More informationWindows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led
Lincoln Land Community College Capital City Training Center 130 West Mason Springfield, IL 62702 217-782-7436 www.llcc.edu/cctc Windows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led
More informationenicq 5 System Administrator s Guide
Vermont Oxford Network enicq 5 Documentation enicq 5 System Administrator s Guide Release 2.0 Published November 2014 2014 Vermont Oxford Network. All Rights Reserved. enicq 5 System Administrator s Guide
More informationInstallation Notes for Outpost Network Security (ONS) version 3.2
Outpost Network Security Installation Notes version 3.2 Page 1 Installation Notes for Outpost Network Security (ONS) version 3.2 Contents Installation Notes for Outpost Network Security (ONS) version 3.2...
More information